Wednesday, 28 November 2012

Tripwire



Another amazing piece of information came my way. Possibly a little late, but I am pretty sure that many IT pros may not be aware of this. What is known and obvious is that we use SIEMs for several purposes, but the most critical one is incident detection. The problem arises with large networks and infrastructures: how do you separate legitimate alerts from false positives? With large volumes of data the problem gets even bigger. The idea of "external feeds" or "trusted sources" is, I suppose, recognisable not only to IT security people. It means that the SIEM receives information not only from the logs and flows it collects, but also from other data sources. As an example, we can be given the list of privileged users that have access to a particular host, or alerts from consulting companies that "watch" our company from outside. Other trusted sources can be change and configuration data. Such sources add context to event/flow correlation and focus IT security monitoring teams only on relevant alerts: a root shell opened by an account that is on the privileged list for that host, inside an approved change window, is expected, while the same action by an account that is on neither list deserves a look. And here is the power of the new approach. I would also like to write about the Tripwire VIA solution, which led me to some thoughts.
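Below is an added example (my code, not Tripwire's and not the blog's) of what "adding context from trusted sources" looks like in practice: a handful of constructed sshd and sudo log lines are parsed, enriched with a constructed per-host privileged-user list and an approved change ticket, and each event gets a verdict with the reasons attached. The host names, users, ticket number, the 2012 year assumed for the syslog timestamps, and the site policy that interactive hosts require key-based login are all assumptions made for the demonstration.

```python
"""Adding context from 'trusted sources' to raw SIEM events.

Added example, not Tripwire code. Every line of sample data below is
constructed for illustration: the syslog lines, the host names, the
privileged-user list and the change ticket are all made up.
"""
import re
from datetime import datetime, timezone

# Constructed sample events in sshd/sudo syslog style. Syslog timestamps carry
# no year, so the parser assumes 2012 (an assumption for this demo).
SAMPLE_EVENTS = """\
Nov 28 02:14:07 db01 sshd[4121]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Nov 28 02:16:40 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/vi /etc/my.cnf
Nov 28 03:05:12 db01 sshd[4390]: Accepted password for bob from 10.0.0.77 port 40110 ssh2
Nov 28 03:06:01 db01 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/useradd svc_backup
"""

# Trusted source 1: who may hold privileged access on which host (constructed).
PRIVILEGED_USERS = {"db01": {"alice", "dba_oncall"}}

# Trusted source 2: approved change windows from change management
# (constructed ticket; times in UTC).
APPROVED_CHANGES = [
    {"ticket": "CHG-0042", "host": "db01", "user": "alice",
     "start": datetime(2012, 11, 28, 2, 0, tzinfo=timezone.utc),
     "end": datetime(2012, 11, 28, 2, 30, tzinfo=timezone.utc)},
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_event(line):
    """Parse one syslog line into a dict; return None for lines we don't model."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2012, tzinfo=timezone.utc)
    ev = {"host": m["host"], "prog": m["prog"], "time": when}
    if m["prog"] == "sshd":
        s = SSH_RE.search(m["msg"])
        if not s:
            return None
        ev.update(kind="login", user=s["user"], method=s["method"], src=s["src"])
    elif m["prog"] == "sudo":
        s = SUDO_RE.match(m["msg"])
        if not s:
            return None
        ev.update(kind="privileged_cmd", user=s["user"], target=s["target"], cmd=s["cmd"])
    else:
        return None
    return ev


def approved_change_for(ev):
    """Return the change ticket covering this host/user/time, if any."""
    for chg in APPROVED_CHANGES:
        if (chg["host"] == ev["host"] and chg["user"] == ev["user"]
                and chg["start"] <= ev["time"] <= chg["end"]):
            return chg["ticket"]
    return None


def enrich(ev):
    """Attach context from the trusted sources and a verdict with reasons."""
    reasons = []
    ev["is_privileged_user"] = ev["user"] in PRIVILEGED_USERS.get(ev["host"], set())
    ev["change_ticket"] = approved_change_for(ev)
    if not ev["is_privileged_user"]:
        reasons.append("user not on privileged list for host")
    if ev["kind"] == "privileged_cmd" and ev["change_ticket"] is None:
        reasons.append("root command outside any approved change window")
    # Assumed site policy for the demo: interactive hosts require key auth.
    if ev["kind"] == "login" and ev["method"] == "password":
        reasons.append("password login where key auth is expected")
    ev["verdict"] = "investigate" if reasons else "expected"
    ev["reasons"] = reasons
    return ev


def triage(text):
    """Parse and enrich every modelled event; the analyst filters on 'verdict'."""
    events = [e for e in (parse_event(l) for l in text.splitlines()) if e]
    return [enrich(e) for e in events]


if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print(f"{e['time']:%H:%M:%S} {e['host']} {e['kind']:<14} {e['user']:<6} "
              f"{e['verdict']:<11} {'; '.join(e['reasons'])}")
```

Run as a script it prints one line per event; alice's key login and root edit inside CHG-0042 come out as expected, while bob's password login and his `useradd` outside any window are flagged with the reasons the analyst needs. The same two lookups (privileged list, change window) are what a SIEM does with a reference set and a change feed, just at scale.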



First of all, the Tripwire company and its solutions ... are awesome. I like this kind of fascination. The Tripwire VIA platform contains three components: Enterprise (configuration management), Log Center (log and event management) and Data Mart. As Tripwire says:

"As security breaches continue to rise (...). Log collection, retention and reporting are an accepted best practice for security and mandatory requirements of most regulatory policies. For years, though, log management solutions have generated a lot of noise without helping detect threats"

Here comes Tripwire. Deploying a SIEM is not an easy task. What is more, incident detection and SIEM maintenance are another hard task. Of course, this is not the end of the problems. Another requirement is that a SIEM should follow the rule "easy to use". Tripwire says it has a bunch of solutions for these issues. One of the greatest things about the Tripwire VIA solutions is their approach to file integrity. Tripwire Enterprise gives a brief insight into system configuration and status (compliance). This information is then correlated with Log Center, which gives context: the relationship between plain log activity and the changes that occurred on the system in question. This is a perfect approach, and it attracts me the most. Again, awesome.

Of course Tripwire supports standard capabilities such as queries, event correlation, trend analysis and dashboarding. What is more, the notion of "active data" is introduced, meaning that data can be accessed easily even when it is older (and possibly stored "deeper"). It also supports incident detection, risk management and tracking of system integrity. Furthermore, I saw the methodology of rule construction, another great feature! I cannot say whether graphical creation of rules (by drag and drop) is mature or not. What I think is that the newest SIEMs are very complex, and it is often hard to put together the rule you really want to deploy. There are also problems with optimisation and documentation. So yes, the graphical rule creator is a great feature and may make the incident detection process simpler; maybe this is another layer of support from the system for building more efficient and complex rules.

Dashboarding is another subject, and hopefully I will cover it next time. But here, just a quick hint: Tripwire gives the opportunity to watch the most relevant logs on an "event relationship diagram" presenting nodes (hosts) and connections. It is always a great idea to watch logs or metadata in a more human-friendly way than raw events in real-time streaming mode (aka tcpdump).


To finish, a few words about Tripwire components and mechanisms. Tripwire is known, I suppose, mostly for its Enterprise component: it stores the collected data, encrypts it and applies a checksum to ensure its integrity. (One caveat that applies to any such store: a plain checksum catches accidental corruption, but an attacker who can rewrite the stored records can recompute the checksum as well, so tamper evidence against a deliberate adversary needs a keyed MAC or a signature whose key is held outside the monitored system.) The database can also hold vulnerability data for further reference and correlation. Other features, such as alerting, multi-platform support and log sources, are the familiar ones. Tripwire Enterprise is also integrated with the ESM solution developed by ArcSight.

In my personal opinion, system, configuration and file integrity data combined with logs and other metadata give a great, great base of information for incident and intrusion detection. The changes can be anything: files, executables, configs and more. Any suspicious behaviour can simply be checked by rules and alerting, but it can be difficult in a big environment (storage issues). When it comes to post-mortem analysis (of an intrusion) or malware incident response, I think this kind of data shows perfectly what was going on. Of course, there are great tools for tracking software/file behaviour, but imagine that this can be automatic and raise an alert at any time.
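As an added example (my code, not Tripwire's and not the post's), the following Python shows the mechanism behind the file-integrity monitoring praised above, together with the "checksum on the stored data" point from the previous section: hash a file tree into a baseline, seal the baseline with an HMAC so that edits to the baseline itself are detected, then re-scan after simulated attacker activity and report what changed and how (content, size or mode). The directory layout, file contents, the dropped tool and the HMAC key are constructed for the demo; in practice the key and the sealed baseline live off the monitored host.

```python
"""File-integrity baseline and comparison with a tamper-evident baseline.

Added example, not Tripwire's code: it shows the mechanism FIM products
implement (hash every file, store the hashes, re-hash later and diff), using
only the standard library. Paths, file contents and the key are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Assumed: this key is held where the monitored host's root cannot read or
# rewrite it (e.g. on the FIM server). A bare checksum only detects accidental
# corruption; whoever can edit the baseline can recompute a checksum, but not
# a MAC without the key.
BASELINE_KEY = b"constructed-demo-key-keep-off-the-monitored-host"


def file_digest(path, algo="sha256"):
    """Stream the file through the hash so large binaries don't load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root (relative path) to its hash, size and mode bits."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):          # record symlinks by target, not content
                snap[rel] = {"symlink": os.readlink(full)}
                continue
            st = os.stat(full)
            snap[rel] = {"sha256": file_digest(full), "size": st.st_size,
                         "mode": oct(st.st_mode & 0o7777)}
    return snap


def seal(snap):
    """Serialize the snapshot and attach an HMAC over the canonical JSON."""
    body = json.dumps(snap, sort_keys=True).encode()
    tag = hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()
    return json.dumps({"snapshot": snap, "hmac": tag}, sort_keys=True)


def unseal(sealed):
    """Return the snapshot only if its HMAC verifies; otherwise refuse to use it."""
    doc = json.loads(sealed)
    body = json.dumps(doc["snapshot"], sort_keys=True).encode()
    expected = hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline failed integrity check: refusing to compare against it")
    return doc["snapshot"]


def compare(baseline, current):
    """Classify paths as added / removed / modified, listing which attributes changed."""
    report = {"added": [], "removed": [], "modified": {}}
    for p in sorted(set(baseline) | set(current)):
        if p not in baseline:
            report["added"].append(p)
        elif p not in current:
            report["removed"].append(p)
        elif baseline[p] != current[p]:
            keys = set(baseline[p]) | set(current[p])
            report["modified"][p] = sorted(k for k in keys if baseline[p].get(k) != current[p].get(k))
    return report


def demo():
    """Baseline a constructed tree, simulate an intrusion, diff, and probe a forged baseline."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF original binary")
        os.chmod(os.path.join(root, "bin", "ls"), 0o755)
        sealed = seal(snapshot(root))                 # would be stored off-host

        # Simulated attacker activity: weaken config, make a binary setuid, drop a tool.
        with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        os.chmod(os.path.join(root, "bin", "ls"), 0o4755)   # same bytes, new mode
        with open(os.path.join(root, "bin", "nc"), "wb") as f:
            f.write(b"\x7fELF dropped tool")
        report = compare(unseal(sealed), snapshot(root))

        # An attacker who edits the baseline to "bless" the dropped tool is caught
        # because they cannot recompute the HMAC without BASELINE_KEY.
        doc = json.loads(sealed)
        doc["snapshot"]["bin/nc"] = snapshot(root)["bin/nc"]
        try:
            unseal(json.dumps(doc))
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return report, tamper_detected


if __name__ == "__main__":
    rep, tampered = demo()
    print(json.dumps(rep, indent=2))
    print("forged baseline rejected:", tampered)
```

Note that `bin/ls` is reported as modified on mode alone even though its bytes are unchanged: a hash-only monitor would miss a setuid bit being flipped, which is exactly the kind of change you want correlated with the sudo or shell log lines from the same window. The `mode` and `size` attributes are what make a FIM report readable in a post-mortem rather than just a list of hashes.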

Additional helpful abbreviations: GRC solutions (Governance, Risk and Compliance), FIM solutions (File Integrity Monitoring), SCM solutions (Security Configuration Management).
